Is Microsoft ready for the SP2 tightrope?

Nearly everyone concerned with IT security seems to agree that Microsoft's forthcoming Service Pack 2 for Windows XP may be the most significant component yet in the company's Trustworthy Computing initiative. Everyone, that is, but Microsoft.

In a recent interview, Steve Gibson, president of Gibson Research,
told me that Microsoft's forthcoming Service Pack 2 for Windows XP should
probably be renamed "Security Pack 2." In fact, nearly everyone who has anything
to do with IT security seems to agree that SP2 may be the most significant
component yet in Microsoft's Trustworthy Computing initiative. Everyone but
Microsoft, that is.

Is Microsoft in a bit of a pickle when it comes to SP2, especially now that
companies like Red Hat are turning up the heat on
the desktop side of Linux? Or, will the company continue to be untouchable --
especially on the desktop side of the equation -- in spite of a wave of security
problems that seems to never stop nagging Windows users?

It's quite remarkable that, considering the untold sums of money that
businesses have spent on damage control as a result of all the attacks targeting
Windows, Outlook, Office, Internet Information Server and SQL Server, IT
users have largely stuck by Microsoft and its products. Name another product or
service that, over time (in the case of Microsoft, over five years), has
subjected its users to such enduring risk or dissatisfaction without their
switching.

It didn't take long, for example, for the demand for Ford's Pinto to wither
once the car established a track record for blowing up after suffering a
rear-end collision. It only takes one bad experience in service or meal quality
to keep most of us from returning to a restaurant. Russ Cooper, Surgeon General
at TruSecure, one of the world's largest IT risk management solution providers,
draws a parallel to the situation in Iraq where, "after some of its soldiers
were killed in an attack, the people of Spain installed a new president who
immediately withdrew Spain's troops."

According to TruSecure, which is platform agnostic and has been tracking all
known vulnerabilities and their associated costs since the dawn of Melissa, the
top 10 infections dating back to March 1999 all targeted users of Microsoft
software. According to the company's statistics, the total cost of damages in
August 2003 alone as a result of the two biggest transgressions so far -- Sobig
and Blaster -- registered at US$3.5 billion.

Even if there were some magical threshold that, once crossed, triggered a
shift en masse to an alternative OS, TruSecure's Cooper warned that it would only
lead organizations into a false sense of security. "Microsoft is targeted because
it has 95 percent of the user base," said Cooper. "If the user base shifts, so
too will the attackers. And guess what? The same companies and users that were
affected before will be affected again because it was their lack of attention to
security that ultimately left them exposed."

Yet, despite all of our fickleness, we continue to use Microsoft
technologies. Compared to the way other "decisions" are dropped like hot
potatoes, demand for many of Microsoft's products has persevered through the
worst of times.

About the only Microsoft product to suffer a significant market share setback
has been Internet Information Server, the company's Web server. Though the trend
cannot be officially attributed to security concerns, according to the most
recent NetCraft Web
Server Survey, Apache's gain in market share for top servers across all
domains since March 2002 closely mirrors Microsoft's IIS' loss in market share
since that date. Shortly before IIS' market share started falling off its peak,
Gartner security analyst John Pescatore recommended that, in the name of security, companies stop using IIS altogether. It's the
only time I can remember that a widely respected research outfit recommended
switching products as a technique for improving security. Even so, demand for
IIS remains healthy.

Pescatore offers a simple explanation for why Microsoft has endured a
situation that would have brought down most companies, including restaurants.
"There's no monopoly restaurant. If there was, you'd keep going to it. Most of
the viable alternatives to Microsoft's solutions are on the server side," said
Pescatore. "That explains why Apache has done well at IIS' expense. But on the
desktop, what the government said is true: Microsoft has a monopoly. For
Gartner's clients, the cost of switching is simply too prohibitive."

TruSecure's Cooper agreed: "The cost of switching exceeds the cost of
recovering from an attack." While TruSecure's damage tallies tell one story,
they don't tell the other: Many companies, after suffering through an attack due
to lax security procedures, will batten down the hatches. While you needed to
be running a Microsoft product to fall prey to any of the top ten invasions, few
if any users have been stricken with all ten. Companies tend to get religious
about security after the first serious transgression. Although the headlines
make the situation look bad, the reality is that not every company is suffering
from every infection.

Even more evidence of Microsoft's resilience was contained in Pescatore's
discussion of how almost none of Gartner's clients are trying out Linux or Mac
on the desktop for security reasons. "The Mac is a known quantity," said
Pescatore. "Most companies have a few Macs and if they felt that they could
switch desktops to solve their security problems, they'd switch to the Mac.
That's because they could continue to run Microsoft Office, which runs on the
Mac, while avoiding most of the security problems." For this reason, Pescatore
said, any movement to Linux desktops will be cost-driven rather than
security-driven, and it will take years before Linux stands a chance of catching
Apple on the desktop. His prediction doesn't bode well for the open source
operating system's chances of putting a dent in Windows.

With SP2 around the bend, Microsoft's seemingly unbreakable grip on the
desktop raises the question of whether there's any threshold that, once crossed,
could ignite an exodus from Windows. Although SP2 is being hailed as a major
stake in the ground for Microsoft from a security perspective, Microsoft can
still afford some post-SP2 transgressions without suffering any major setbacks.
This could explain why the company is being so careful not to over promise when
it comes to SP2. Recall that prior to Windows XP shipping in October 2001,
Microsoft was hailing the operating system as a significant step forward on the
security front. Yet, the security patches, including one that plugged a serious
Universal Plug and Play vulnerability, began flowing within weeks and caused
doubts about whether Microsoft could rein in its security problems.

Two and a half years later, two things are certain. First, there will be
follow-up security patches to SP2. This is unavoidable and, to the extent that
no operating system is without such patches, Microsoft should not be regarded as
incompetent as a result of such patches. Second, there will be a post-SP2
outbreak of one sort or another and, technically speaking, it will be like most
other successful hacks: It will take advantage of a known vulnerability and
afflict systems that have failed to apply SP2 or a subsequent patch. As a
result, Microsoft will get a fair amount of unjustified
"this-is-proof-that-your-trustworthy-computing-initiative-isn't-working" grief.

Greg Sullivan, a lead product manager for Microsoft Windows, is well aware of
Microsoft's dilemma. Referring to the never ending cycle of vulnerability
discovery, followed by patch publication, sub-100 percent deployment, and
"successful" incursion, Sullivan noted that "there are no silver bullets. The
cat and mouse game will never end. It's the nature of the business."

Ironically, according to Pescatore, instead of encouraging a defection to
desktop Linux or Mac, a lack of confidence in Windows XP will, for many
organizations, prolong an already overdue migration from Windows 2000.
Furthermore, according to Pescatore, as the IT world maps out its architectural
shift to a Web services orientation where the desktop plays an increasingly
diminished role (giving way to mobile devices like BlackBerries), confidence in
other Microsoft products, especially ones like PocketPC that Microsoft has plans
for in the Web services ecosystem, could be undermined.

Microsoft is caught between a rock and a hard place. Its customers are
looking for soothing words from the company that its Trustworthy Computing
Initiative is making great progress. Yet, Microsoft must be careful about
over-billing any single fruit of that labor (such as SP2). Only disappointment
can follow. Microsoft's Sullivan is aware of the challenge. "At the same time
we're telling users how important a particular upgrade or patch is and why, we
can't ever leave them with the impression that we're done," said Sullivan. "In
an effort to get fixes installed on a more widespread and timely basis, we have
to do a better job of communicating and we have to make deployment easier. We
also want customers to know that we're in the [security] game on a permanent
basis."

If the recent Sasser outbreak is any indication of whether Microsoft is
getting better at the security game, things could be looking up for the company
and Windows users. In the three weeks since the patch became available, it has
been downloaded from Microsoft's site over 200 million times -- a record,
according to Sullivan.

Unfortunately, no matter what Microsoft does, it cannot escape the ghosts of
technologies past, even when it's making that sort of progress. Microsoft,
therefore, will tout many of the great security features in SP2 (and they are
great). But don't expect it to be making any promises. The technology will have
to speak for itself and, hopefully, most of us will be able to tell when the
technology is talking, and when it's a ghost.
